authorYorhel <git@yorhel.nl>2014-10-15 14:20:56 +0200
committerYorhel <git@yorhel.nl>2014-10-15 14:20:56 +0200
commit6e0a0e1d00e11da9b4eab2163e19314f752b05b5 (patch)
treea65e4b62d81d395c9988f7045b4e83deec8b2485 /lib/VNDB/Handler/Users.pm
parent13e967810a8b336164d22167bb047ad1dbb5a836 (diff)
Use scrypt for new password hashes
I increased the N parameter so that generating a hash takes about 500ms. This is quite a paranoid setting for a website, but login attempts are throttled so there's not much of a DoS factor. (Alright, the password changing feature isn't throttled, so the DoS factor still exists. But really, there are some pages with longer page generation times anyway.) I did lower the size of the salt a bit (Crypt::ScryptKDF uses 256 bits by default), because 64 bits of randomness should have a low enough chance of collision with only ~100k users (even with a million users, seriously).
Diffstat (limited to 'lib/VNDB/Handler/Users.pm')
-rw-r--r--lib/VNDB/Handler/Users.pm8
1 files changed, 2 insertions, 6 deletions
diff --git a/lib/VNDB/Handler/Users.pm b/lib/VNDB/Handler/Users.pm
index bcf94fb4..804b9467 100644
--- a/lib/VNDB/Handler/Users.pm
+++ b/lib/VNDB/Handler/Users.pm
@@ -210,7 +210,6 @@ sub newpass {
my $token;
($token, $o{passwd}) = $self->authPrepareReset();
$self->dbUserEdit($u->{id}, %o);
- #warn "$self->{url}/u$u->{id}/setpass?t=$token";
$self->mail(mt('_newpass_mail_body', $u->{username}, "$self->{url}/u$u->{id}/setpass?t=$token"),
To => $frm->{mail},
From => 'VNDB <noreply@vndb.org>',
@@ -310,7 +309,6 @@ sub register {
if(!$frm->{_err}) {
my($token, $pass) = $self->authPrepareReset();
my $uid = $self->dbUserAdd($frm->{usrname}, $pass, $frm->{mail});
- warn "$self->{url}/u$uid/setpass?t=$token";
$self->mail(mt('_register_mail_body', $frm->{usrname}, "$self->{url}/u$uid/setpass?t=$token"),
To => $frm->{mail},
From => 'VNDB <noreply@vndb.org>',
@@ -384,8 +382,8 @@ sub edit {
$frm->{skin} = '' if $frm->{skin} eq $self->{skin_default};
$self->dbUserPrefSet($uid, $_ => $frm->{$_}) for (qw|skin customcss show_nsfw hide_list |);
my %o;
- $o{username} = $frm->{usrname} if $frm->{usrname};
if($self->authCan('usermod')) {
+ $o{username} = $frm->{usrname} if $frm->{usrname};
$o{perm} = 0;
$o{perm} |= $self->{permissions}{$_} for(@{ delete $frm->{perms} });
}
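Review bot: The username assignment moved under `authCan('usermod')` now silently discards a changed `usrname` submitted by a non-privileged user instead of rejecting it, so a form that still offers the field gives no feedback at all; if the field is meant to be admin-only, the validation earlier in `sub edit` (outside this hunk) should either not accept it for such users or set `$frm->{_err}`. At minimum a comment on the moved line, `# username changes are restricted to usermod; the field is ignored for everyone else`, records the intent for the next reader. `sub edit` begins before this hunk, and whether the template hides the field for non-admins is not visible here.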
@@ -393,9 +391,7 @@ sub edit {
$o{passwd} = $self->authPreparePass($frm->{usrpass}) if $frm->{usrpass};
$o{ign_votes} = $frm->{ign_votes} ? 1 : 0 if $self->authCan('usermod');
$self->dbUserEdit($uid, %o);
- $self->dbSessionDel($uid) if $frm->{usrpass};
- return $self->resRedirect("/u$uid/edit?d=1", 'post') if $uid != $self->authInfo->{id} || !$frm->{usrpass};
- return $self->authLogin($frm->{usrname}||$u->{username}, $frm->{usrpass}, "/u$uid/edit?d=1");
+ return $self->resRedirect("/u$uid/edit?d=1", 'post');
}
}
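Review bot: With `$self->dbSessionDel($uid) if $frm->{usrpass};` dropped from the new side, a password change presumably no longer revokes the account's stored sessions, so a user who changes a compromised password stays exposed through any session an attacker already holds. Only the deletion is visible here; if the session scheme changed elsewhere in this commit so that sessions remain tied to the password hash this is moot, but otherwise the revocation should return, either as `$self->dbSessionDel($uid) if $frm->{usrpass};` before the redirect (accepting the re-login the removed `authLogin` call used to perform) or as a variant that spares the caller's current session if `dbSessionDel` can be told which one to keep. The description itself concedes that this password-change path is not throttled while every `authPreparePass` call now costs roughly 500ms, which deserves at least a `# TODO: rate-limit password changes` at that call. `sub edit` begins before this hunk.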